units: harden systemd-report-sign-plain@.service

Apply sandboxing. The plain backend needs a writable StateDirectory and
/dev/urandom for key generation. The service must stay root (the
private key is root-only), but everything else is locked down.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
This commit is contained in:
Paul Meyer
2026-06-24 12:43:40 +02:00
committed by Luca Boccassi
parent 15bee24d4f
commit 087b0ebb61

@@ -19,3 +19,32 @@ WantsMountsFor=/var/lib/systemd/report.sign.plain
StateDirectory=systemd/report.sign.plain
StateDirectoryMode=0700
ExecStart={{LIBEXECDIR}}/systemd-report-sign-plain
CapabilityBoundingSet=
DeviceAllow=
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateIPC=yes
PrivateNetwork=yes
PrivateTmp=disconnected
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeMaxSec=5min
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
UMask=0077
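Review bot: the combination of `PrivateDevices=yes` and an explicit empty `DeviceAllow=` in this hunk deserves a comment and a runtime check, because the commit message states that key generation depends on `/dev/urandom`. If the private `/dev` or the device cgroup policy ends up not exposing `/dev/urandom` to the root process, the failure would only surface on first key generation rather than at unit load. Suggest adding a one-line comment above `DeviceAllow=` explaining why it is safe to leave it empty here, and confirming in the PR description that a fresh start (empty `/var/lib/systemd/report.sign.plain`) succeeds under the new sandbox; `systemd-analyze security systemd-report-sign-plain@.service` is also a cheap way to confirm the directives are interpreted as intended. Everything else reads consistently with the message: `ProtectSystem=strict` is paired with `StateDirectory=` for the writable state, `PrivateNetwork=yes` with `IPAddressDeny=any` and `RestrictAddressFamilies=AF_UNIX`, and `SystemCallFilter=~@privileged @resources` on a root service is fine since the commit says root is needed only for reading the key file.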